[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8E66544EA51548E2B809BBFB114876BD@W340>
Date: Sun, 3 Jan 2016 16:12:50 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers/self-extractors are vulnerable^WEVIL
(case 17): Kaspersky Labs utilities
Hi @ll,
quite some utilities offered for free by Kaspersky Lab load and execute
rogue/bogus DLLs (UXTheme.dll, HNetCfg.dll, RichEd20.dll, RASAdHlp.dll,
SetupAPI.dll, ClbCatQ.dll, XPSP2Res.dll, CryptNet.dll, OLEAcc.dll etc.)
eventually found in the directory they are started from (the "application
directory").
For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art"
about this well-known and well-documented vulnerability.
If one of the DLLs named above gets planted in the user's "Downloads"
directory per "drive-by download" or "social engineering" this
vulnerability becomes a remote code execution.
Due to the application manifest embedded in some of the executables
which specifies "requireAdministrator" or the installer detection of
Windows' user account control theses installers/self-extractors are
started with administrative privileges ("protected" administrators are
prompted for consent, unprivileged standard users are prompted for an
administrator password); execution of any hijacked DLL results in
an escalation of privilege!
See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be
dumped.
Kaspersky Lab published a security advisory 2015-12-23
<https://support.kaspersky.com/vulnerability.aspx?el=12430#231215>
after they made updated versions of their utilities available on
<https://support.kaspersky.com/viruses/utility>
stay tuned
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists